Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Better challenge derivation #27

Merged
merged 7 commits into from
May 4, 2023
Merged

Better challenge derivation #27

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
223b610
Add rng for use for fiat-shamir challenge deriving
maurges May 2, 2023
9188d65
Challenge uses hashing random
maurges May 2, 2023
8a42a44
simpler generation scheme for Rmod
maurges May 2, 2023
3f9987c
Fmt, clippy and docs
maurges May 2, 2023
50f1cf3
Fix incorrect rounding up causing bogus tests
maurges May 3, 2023
c8620d6
Remove redundant traits. Simplify tests
maurges May 3, 2023
5952860
Simpler size generation
maurges May 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/common.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
pub mod rng;
pub mod sqrt;

use crate::unknown_order::BigNumber;
Expand Down
89 changes: 89 additions & 0 deletions src/common/rng.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
use sha2::digest;
use sha2::digest::Digest;

/// Pseudo-random generateur that obtains values by hashing the provided values
/// salted with an internal counter. The counter is prepended to conserve
/// entropy.
///
/// Having u64 counter means that the period of the sequence is 2^64 times
/// `Digest::OutputSize` bytes
pub struct HashRng<F, D: Digest> {
hash: F,
counter: u64,
buffer: digest::Output<D>,
offset: usize,
}

impl<F, D: Digest> HashRng<F, D> {
/// Create the RNG from the hash finalization function. Use it like this:
/// ```ignore
maurges marked this conversation as resolved.
Show resolved Hide resolved
/// HashRng::new(|d| d.chain_update("my_values").finalize())
/// ```
pub fn new(hash: F) -> Self
where
F: Fn(D) -> digest::Output<D>,
{
let d: D = D::new().chain_update(0u64.to_le_bytes());
let buffer: digest::Output<D> = hash(d);
HashRng {
hash,
counter: 1,
offset: 0,
buffer,
}
}
}

impl<F, D> rand_core::RngCore for HashRng<F, D>
where
D: Digest,
F: Fn(D) -> digest::Output<D>,
{
fn next_u32(&mut self) -> u32 {
const SIZE: usize = std::mem::size_of::<u32>();
// NOTE: careful with SIZE usage, otherwise it panics
if self.offset + SIZE > self.buffer.len() {
self.buffer = (self.hash)(D::new().chain_update(self.counter.to_le_bytes()));
self.counter = self.counter.wrapping_add(1);
self.offset = 0;
}
let bytes = &self.buffer[self.offset..self.offset + SIZE];
self.offset += SIZE;
#[allow(clippy::expect_used)]
let bytes: [u8; SIZE] = bytes.try_into().expect("Size mismatch");
u32::from_le_bytes(bytes)
}

fn next_u64(&mut self) -> u64 {
rand_core::impls::next_u64_via_u32(self)
}

fn fill_bytes(&mut self, dest: &mut [u8]) {
rand_core::impls::fill_bytes_via_next(self, dest)
}

fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rand_core::Error> {
self.fill_bytes(dest);
Ok(())
}
}

#[cfg(test)]
mod test {
use rand_core::RngCore;
use sha2::Digest;

#[test]
fn generate_bytes() {
let hash = |d: sha2::Sha256| d.chain_update("foobar").finalize();
let mut rng = super::HashRng::new(hash);

// Check that it doesn't panic for any window size
for _ in 0..100 {
let size = usize::from(rng.next_u32().to_le_bytes()[0]) + 1;
maurges marked this conversation as resolved.
Show resolved Hide resolved
let mut buffer = Vec::new();
buffer.resize(size, 0);
rng.fill_bytes(&mut buffer);
}
}
}
46 changes: 24 additions & 22 deletions src/group_element_vs_paillier_encryption_in_range.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -343,26 +343,28 @@ pub mod non_interactive {
) -> Challenge
where
Scalar<C>: FromHash,
D: Digest<OutputSize = U32>,
D: Digest,
{
use rand_core::SeedableRng;
let seed = shared_state
.chain_update(C::CURVE_NAME)
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update((security.l as u64).to_le_bytes())
.chain_update((security.epsilon as u64).to_le_bytes())
.chain_update(data.key0.to_bytes())
.chain_update(data.c.to_bytes())
.chain_update(data.x.to_bytes(true))
.chain_update(commitment.s.to_bytes())
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.y.to_bytes(true))
.chain_update(commitment.d.to_bytes())
.finalize();

let mut rng = rand_chacha::ChaCha20Rng::from_seed(seed.into());
let shared_state = shared_state.finalize();
maurges marked this conversation as resolved.
Show resolved Hide resolved
let hash = |d: D| {
d.chain_update(&shared_state)
.chain_update(C::CURVE_NAME)
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update((security.l as u64).to_le_bytes())
.chain_update((security.epsilon as u64).to_le_bytes())
.chain_update(data.key0.to_bytes())
.chain_update(data.c.to_bytes())
.chain_update(data.x.to_bytes(true))
.chain_update(commitment.s.to_bytes())
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.y.to_bytes(true))
.chain_update(commitment.d.to_bytes())
.finalize()
};

let mut rng = crate::common::rng::HashRng::new(hash);
super::interactive::challenge::<C, _>(&mut rng)
}
}
Expand Down Expand Up @@ -428,7 +430,7 @@ mod test {
epsilon: 300,
};
let plaintext = BigNumber::from_rng_pm(&(BigNumber::one() << security.l), &mut rng);
run(rng, security, plaintext).expect("proof failed");
run::<_, C>(rng, security, plaintext).expect("proof failed");
}

fn failing_test<C: Curve>()
Expand All @@ -441,7 +443,7 @@ mod test {
epsilon: 300,
};
let plaintext = BigNumber::from(1) << (security.l + security.epsilon + 1);
let r = run(rng, security, plaintext).expect_err("proof should not pass");
let r = run::<_, C>(rng, security, plaintext).expect_err("proof should not pass");
match r.reason() {
InvalidProofReason::RangeCheck(_) => (),
e => panic!("proof should not fail with: {e:?}"),
Expand Down Expand Up @@ -492,7 +494,7 @@ mod test {

let rng = rand_chacha::ChaCha20Rng::seed_from_u64(0);
assert!(maybe_rejected(rng), "should pass");
let rng = rand_chacha::ChaCha20Rng::seed_from_u64(1);
let rng = rand_chacha::ChaCha20Rng::seed_from_u64(2);
assert!(!maybe_rejected(rng), "should fail");
}
}
34 changes: 18 additions & 16 deletions src/no_small_factor.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,23 +346,25 @@ pub mod non_interactive {
security: &SecurityParams,
) -> Challenge
where
D: Digest<OutputSize = U32>,
D: Digest,
{
use rand_core::SeedableRng;
let seed = shared_state
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update(data.n.to_bytes())
.chain_update(data.n_root.to_bytes())
.chain_update(commitment.p.to_bytes())
.chain_update(commitment.q.to_bytes())
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.b.to_bytes())
.chain_update(commitment.t.to_bytes())
.chain_update(commitment.sigma.to_bytes())
.finalize();
let mut rng = rand_chacha::ChaCha20Rng::from_seed(seed.into());
let shared_state = shared_state.finalize();
let hash = |d: D| {
d.chain_update(&shared_state)
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update(data.n.to_bytes())
.chain_update(data.n_root.to_bytes())
.chain_update(commitment.p.to_bytes())
.chain_update(commitment.q.to_bytes())
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.b.to_bytes())
.chain_update(commitment.t.to_bytes())
.chain_update(commitment.sigma.to_bytes())
.finalize()
};
let mut rng = crate::common::rng::HashRng::new(hash);
super::interactive::challenge(security, &mut rng)
}

Expand Down
62 changes: 32 additions & 30 deletions src/paillier_affine_operation_in_range.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -458,31 +458,33 @@ pub mod non_interactive {
security: &SecurityParams,
) -> Challenge
where
D: Digest<OutputSize = U32>,
D: Digest,
{
use rand_core::SeedableRng;
let seed = shared_state
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update((security.l_x as u64).to_le_bytes())
.chain_update((security.l_y as u64).to_le_bytes())
.chain_update((security.epsilon as u64).to_le_bytes())
.chain_update(data.key0.to_bytes())
.chain_update(data.key1.to_bytes())
.chain_update(data.c.to_bytes())
.chain_update(data.d.to_bytes())
.chain_update(data.y.to_bytes())
.chain_update(data.x.to_bytes(true))
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.b_x.to_bytes(true))
.chain_update(commitment.b_y.to_bytes())
.chain_update(commitment.e.to_bytes())
.chain_update(commitment.s.to_bytes())
.chain_update(commitment.f.to_bytes())
.chain_update(commitment.t.to_bytes())
.finalize();
let mut rng = rand_chacha::ChaCha20Rng::from_seed(seed.into());
let shared_state = shared_state.finalize();
let hash = |d: D| {
d.chain_update(&shared_state)
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update((security.l_x as u64).to_le_bytes())
.chain_update((security.l_y as u64).to_le_bytes())
.chain_update((security.epsilon as u64).to_le_bytes())
.chain_update(data.key0.to_bytes())
.chain_update(data.key1.to_bytes())
.chain_update(data.c.to_bytes())
.chain_update(data.d.to_bytes())
.chain_update(data.y.to_bytes())
.chain_update(data.x.to_bytes(true))
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.b_x.to_bytes(true))
.chain_update(commitment.b_y.to_bytes())
.chain_update(commitment.e.to_bytes())
.chain_update(commitment.s.to_bytes())
.chain_update(commitment.f.to_bytes())
.chain_update(commitment.t.to_bytes())
.finalize()
};
let mut rng = crate::common::rng::HashRng::new(hash);
super::interactive::challenge::<C, _>(&mut rng)
}
}
Expand Down Expand Up @@ -565,7 +567,7 @@ mod test {
};
let x = BigNumber::from_rng_pm(&(BigNumber::one() << security.l_x), &mut rng);
let y = BigNumber::from_rng_pm(&(BigNumber::one() << security.l_y), &mut rng);
run(rng, security, x, y).expect("proof failed");
run::<_, C>(rng, security, x, y).expect("proof failed");
}

fn failing_on_additive<C: Curve>()
Expand All @@ -580,7 +582,7 @@ mod test {
};
let x = BigNumber::from_rng_pm(&(BigNumber::one() << security.l_x), &mut rng);
let y = (BigNumber::one() << (security.l_y + security.epsilon)) + 1;
let r = run(rng, security, x, y).expect_err("proof should not pass");
let r = run::<_, C>(rng, security, x, y).expect_err("proof should not pass");
match r.reason() {
InvalidProofReason::RangeCheck(7) => (),
e => panic!("proof should not fail with: {e:?}"),
Expand All @@ -599,7 +601,7 @@ mod test {
};
let x = (BigNumber::from(1) << (security.l_x + security.epsilon)) + 1;
let y = BigNumber::from_rng_pm(&(BigNumber::one() << security.l_y), &mut rng);
let r = run(rng, security, x, y).expect_err("proof should not pass");
let r = run::<_, C>(rng, security, x, y).expect_err("proof should not pass");
match r.reason() {
InvalidProofReason::RangeCheck(6) => (),
e => panic!("proof should not fail with: {e:?}"),
Expand Down Expand Up @@ -658,7 +660,7 @@ mod test {

let mut rng = rand_chacha::ChaCha20Rng::seed_from_u64(5);
assert!(maybe_rejected(&mut rng), "should pass");
let mut rng = rand_chacha::ChaCha20Rng::seed_from_u64(6);
let mut rng = rand_chacha::ChaCha20Rng::seed_from_u64(0);
assert!(!maybe_rejected(&mut rng), "should fail");
}

Expand All @@ -681,10 +683,10 @@ mod test {
}
}

let rng = rand_chacha::ChaCha20Rng::seed_from_u64(1);
let rng = rand_chacha::ChaCha20Rng::seed_from_u64(0);
assert!(maybe_rejected(rng), "should pass");

let rng = rand_chacha::ChaCha20Rng::seed_from_u64(2);
let rng = rand_chacha::ChaCha20Rng::seed_from_u64(1);
assert!(!maybe_rejected(rng), "should fail");
}
}
23 changes: 10 additions & 13 deletions src/paillier_blum_modulus.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,22 +257,19 @@ pub mod non_interactive {
commitment: &Commitment,
) -> Challenge<M>
where
D: Digest<OutputSize = U32> + Clone,
D: Digest,
{
use rand_core::SeedableRng;
// since we can't use Default and BigNumber isn't copy, we initialize
// like this
let mut ys = [(); M].map(|()| BigNumber::zero());
for (i, y_ref) in ys.iter_mut().enumerate() {
let seed = shared_state
.clone()
let shared_state = shared_state.finalize();
let hash = |d: D| {
d.chain_update(&shared_state)
.chain_update(n.to_bytes())
.chain_update(commitment.w.to_bytes())
.chain_update((i as u64).to_le_bytes())
.finalize();
let mut rng = rand_chacha::ChaCha20Rng::from_seed(seed.into());
*y_ref = BigNumber::from_rng(n, &mut rng);
}
.finalize()
};
let mut rng = crate::common::rng::HashRng::new(hash);
// since we can't use Default and BigNumber isn't copy, we initialize
// like this
let ys = [(); M].map(|()| BigNumber::from_rng(n, &mut rng));
Challenge { ys }
}
}
Expand Down
34 changes: 18 additions & 16 deletions src/paillier_decryption_modulo_q.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,23 +289,25 @@ pub mod non_interactive {
commitment: &Commitment,
) -> Challenge
where
D: Digest<OutputSize = U32>,
D: Digest,
{
use rand_core::SeedableRng;
let seed = shared_state
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update(data.q.to_bytes())
.chain_update(data.key.to_bytes())
.chain_update(data.c.to_bytes())
.chain_update(data.x.to_bytes())
.chain_update(commitment.s.to_bytes())
.chain_update(commitment.t.to_bytes())
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.gamma.to_bytes())
.finalize();
let mut rng = rand_chacha::ChaCha20Rng::from_seed(seed.into());
let shared_state = shared_state.finalize();
let hash = |d: D| {
d.chain_update(&shared_state)
.chain_update(aux.s.to_bytes())
.chain_update(aux.t.to_bytes())
.chain_update(aux.rsa_modulo.to_bytes())
.chain_update(data.q.to_bytes())
.chain_update(data.key.to_bytes())
.chain_update(data.c.to_bytes())
.chain_update(data.x.to_bytes())
.chain_update(commitment.s.to_bytes())
.chain_update(commitment.t.to_bytes())
.chain_update(commitment.a.to_bytes())
.chain_update(commitment.gamma.to_bytes())
.finalize()
};
let mut rng = crate::common::rng::HashRng::new(hash);
super::interactive::challenge(data, &mut rng)
}

Expand Down
Loading